We already create almost all our Azure resources via ARM / Bicep Templates from Azure DevOps. In an effort to minimize scripted / hands-on-keyboard resources I would like to be able to create new App Registrations from Azure DevOps pipelines.
I have a bicep file that works when deployed from my local machine, but fails when deployed via pipeline with the error:
Insufficient privileges to complete the operation. Graph client request id: 5338m403-886c-43d3-9994-e77bedd0ee20. Graph request timestamp: 2024-10-16T09:47:26Z
The Service Connection uses an App Registration with federated credentials and successfully creates other resources within the subscription.
Within Entra the Service Principal has been granted both the "Application Developer" and "Cloud Application Administrator" roles.
The relevant section of the Bicep file looks like this (the resource type names were garbled on the extracted page; they are reconstructed here as the Graph extension's application and service principal types, with the API version assumed to be v1.0):

// The Microsoft Graph Bicep extension must be enabled for the Microsoft.Graph/* resource types
extension microsoftGraph

// Parameters referenced by the snippet (declared elsewhere in the full template)
param uniquesuffix string
param uiAppRegName string
param uiWebAppName string

// App registration (Entra application object)
resource clientApp 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: uniquesuffix
  displayName: uiAppRegName
  signInAudience: 'AzureADandPersonalMicrosoftAccount'
  web: {
    redirectUris: [
      'https://localhost:5001/signin-oidc'
      'https://${uiWebAppName}.azurewebsites.net/signin-oidc'
    ]
    implicitGrantSettings: {
      enableIdTokenIssuance: true
    }
  }
  passwordCredentials: [
    { displayName: 'bicep generated secret key' }
  ]
}

// Service principal for the application in this tenant
resource clientSp 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: clientApp.appId
}
What am I missing here?
2 Answers
Turns out that what I needed was to add the API Permission of the App Registration to
Application.ReadWrite.All
and have my Entra admin apply Global Consent.

I can reproduce the same error when only assigning the App Registration of the service connection the "Cloud Application Administrator" role.
Solution:
Assign the App Registration of the service connection with "Application Administrator" role.
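An added example, not from the question or either answer, showing the first answer's fix (granting the pipeline's service principal the Graph application permission Application.ReadWrite.All, which an app role assignment grants with consent already applied) as Bicep that an Entra admin deploys once, rather than assigning the broader Application Administrator directory role. The parameter name is an assumption, and the extension declaration syntax varies by Bicep version.

```bicep
// Added example: grant Application.ReadWrite.All (Microsoft Graph application
// permission) to the service principal behind the Azure DevOps service connection.
// Deploy this once as an Entra admin; the pipeline identity cannot grant itself roles.
extension microsoftGraph

@description('Object ID (not appId) of the service connection service principal. Assumed parameter.')
param pipelineSpObjectId string

// Microsoft Graph's service principal has the same well-known appId in every tenant.
resource graphSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
  appId: '00000003-0000-0000-c000-000000000000'
}

// Resolve the app role ID by its value instead of hard-coding a GUID.
var appReadWriteAllRoleId = filter(graphSp.appRoles, role => role.value == 'Application.ReadWrite.All')[0].id

// An app role assignment to Graph is an application permission with admin consent granted.
resource grant 'Microsoft.Graph/appRoleAssignedTo@v1.0' = {
  appRoleId: appReadWriteAllRoleId
  principalId: pipelineSpObjectId
  resourceId: graphSp.id
}

output grantedAppRoleId string = appReadWriteAllRoleId
```

After deployment, the service connection's App Registration shows Application.ReadWrite.All under API permissions with consent granted, which is the state the first answer describes.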